Selfhosted

58061 readers

719 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Authentik Helm woes (discuss.tchncs.de)

submitted 11 hours ago* (last edited 11 hours ago) by Starfighter@discuss.tchncs.de to c/selfhosted@lemmy.world

6 comments fedilink hide all child comments

I'm currently in the long process of rebuilding my declarative homelab using k3s, ArgoCD and NixOS.

I had previously used Keycloak but that always seemed massively overqualified and way too complex for my purposes. With this rebuild I saw my chance to try out Authentik which appears to be in good standing with the homelab community.
They have tons of documentation for pretty much anything which was encouraging to me. Well except for the documentation for their Helm Charts maybe...

Started off with version 2025.12.x, am now onto 2026.02.x and have spent most weekends in between that on getting Authentik to even just deploy to the cluster.
It's partially my fault for attempting to use Secrets initially but even now with hardcoded keys in my git repo the default example chart doesn't work:

values.yaml

authentik:
  existingSecret:
    secretName: authentik-secret

  postgresql: # None of this gets applied at all so I do it manually below...
    password: "somepasswd"

server:
  replicas: 1

  env: # Manually apply all the configuration values. Why am I using Helm charts again?
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: authentik-postgresql
    - name: AUTHENTIK_POSTGRESQL__USER
      value: authentik
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      value: "somepasswd"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: authentik

  route:
    main:
      # ...

postgresql:
  enabled: true

  auth: # And set everything here once again
    username: authentik
    password: "somepasswd"
    postgresPassword: "somepasswd"
    usePasswordFiles: false
    database: authentik

  primary:
    persistence:
      size: 4Gi

I started off with the official example and after all these undocumented changes it still only deploys-ish:

With the defaults authentik-server would always try to reach the DB under localhost which doesn't work in the context of this chart/k8s.
So after a while I figured out that the authentik: configuration block doesn't actually do anything and I set all the values the chart should set by hand.

Now the DB connects but the liveliness probe on the authentik-server pod fails. It logs the incoming probe requests but apparently doesn't answer them (correctly) leading to k8s killing the pod.

Sorry for the ramble but I've hit my motivational breaking point with Authentik.
Since the community seems to like it a bit I am left wondering what I'm doing wrong to have this many issues with it.

Did you people have this much trouble with Authentik and what have you switched to instead?

you are viewing a single comment's thread
view the rest of the comments

[–] jrgd@lemmy.zip 1 points 2 hours ago

Coming back and checking the values file posted. Not sure why your authentik block won't get used in your values file. Your current issue of non-starting is likely the Authentik server container starting successfully, but failing liveness while waiting for the worker container(s) that is definitely not spooling up with your current configuration.

Something to denote about Authentik itself that won't be well-explained by the quickstart for the Helm chart itself is that Authentik is split into two containers: server and worker. For most environment variabless and mounted secrets, both the server and worker definitions should have them applied. The chart tends to handle most of the essential shared stuff in the authentik block to prevent the duplication, but secrets will likely need to be mounted for both volumes if using file or env references in the shared config, as well as most env overrides will need to be applied for both.